14ae12f77fb541c97c88669bce1480933b4b0dec5527f5b5a89ddcae9dafa4dd

General

Target

a92d36a3089f706e9c466515084fe90e_JaffaCakes118.exe
Size

3.0MB
MD5

a92d36a3089f706e9c466515084fe90e
SHA1

b5c00d2e955a312bdc833f318b9ecee9cf870c94
SHA256

14ae12f77fb541c97c88669bce1480933b4b0dec5527f5b5a89ddcae9dafa4dd
SHA512

06ff7da6b333845a90db5a8941b67f94d3b3ad52c058c0964954ff2f804dfd4bf79d1a3af61b6e1ad7864a0aae9c1a2882c87369e8b70cc964793e06375e0ce2
SSDEEP

49152:LN3V9aXvNPd5AGvWpUh1kDYUJzdbWUOMPrJJ3ACY+XODEDd2LzSx+iW0GkAtaPPq:LN3uXvNPoGvW2mLlhPDQpD+WBiHbtna

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1500	irsetup.exe
2892	hexdump.exe

Loads dropped DLL 6 IoCs

pid	Process
1904	a92d36a3089f706e9c466515084fe90e_JaffaCakes118.exe
1904	a92d36a3089f706e9c466515084fe90e_JaffaCakes118.exe
1904	a92d36a3089f706e9c466515084fe90e_JaffaCakes118.exe
1904	a92d36a3089f706e9c466515084fe90e_JaffaCakes118.exe
2632	cmd.exe
2632	cmd.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0008000000016d45-2.dat	upx
behavioral1/memory/1904-5-0x0000000002AC0000-0x0000000002C3F000-memory.dmp	upx
behavioral1/memory/1500-16-0x0000000000400000-0x000000000057F000-memory.dmp	upx
behavioral1/memory/1500-86-0x0000000000400000-0x000000000057F000-memory.dmp	upx
behavioral1/memory/1500-104-0x0000000000400000-0x000000000057F000-memory.dmp	upx

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Instaler Setup Log.txt	irsetup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a92d36a3089f706e9c466515084fe90e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	irsetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	irsetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	irsetup.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1500	irsetup.exe
1500	irsetup.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1904 wrote to memory of 1500	1904	a92d36a3089f706e9c466515084fe90e_JaffaCakes118.exe	31
PID 1904 wrote to memory of 1500	1904	a92d36a3089f706e9c466515084fe90e_JaffaCakes118.exe	31
PID 1904 wrote to memory of 1500	1904	a92d36a3089f706e9c466515084fe90e_JaffaCakes118.exe	31
PID 1904 wrote to memory of 1500	1904	a92d36a3089f706e9c466515084fe90e_JaffaCakes118.exe	31
PID 1904 wrote to memory of 1500	1904	a92d36a3089f706e9c466515084fe90e_JaffaCakes118.exe	31
PID 1904 wrote to memory of 1500	1904	a92d36a3089f706e9c466515084fe90e_JaffaCakes118.exe	31
PID 1904 wrote to memory of 1500	1904	a92d36a3089f706e9c466515084fe90e_JaffaCakes118.exe	31
PID 1500 wrote to memory of 2632	1500	irsetup.exe	32
PID 1500 wrote to memory of 2632	1500	irsetup.exe	32
PID 1500 wrote to memory of 2632	1500	irsetup.exe	32
PID 1500 wrote to memory of 2632	1500	irsetup.exe	32
PID 2632 wrote to memory of 2892	2632	cmd.exe	34
PID 2632 wrote to memory of 2892	2632	cmd.exe	34
PID 2632 wrote to memory of 2892	2632	cmd.exe	34
PID 2632 wrote to memory of 2892	2632	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\a92d36a3089f706e9c466515084fe90e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a92d36a3089f706e9c466515084fe90e_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1904
- C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
  "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:658978 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\a92d36a3089f706e9c466515084fe90e_JaffaCakes118.exe" "__IRCT:2" "__IRTSS:0" "__IRSID:S-1-5-21-2172136094-3310281978-782691160-1000"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies system certificate store
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1500
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\hexdump.bat" "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0" "C:\Users\Admin\AppData\Local\Temp\a92d36a3089f706e9c466515084fe90e_JaffaCakes118.exe" "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\""
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2632
  - - C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\hexdump.exe
      "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0"\hexdump.exe "C:\Users\Admin\AppData\Local\Temp\a92d36a3089f706e9c466515084fe90e_JaffaCakes118.exe" /skip:$000000050 /keep:50 /bare
      4⤵
      Executes dropped EXE
      PID:2892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG2.JPG

Filesize
45KB

MD5
b45bc7f3deae68927f3034ec9fd38144

SHA1
ddbc918b49c70066724f1a7a7f7b891f72a630f9

SHA256
59101e77efff53b706a95d150dae0088ac0a8775a65aa7fd22b4d64f680fc872

SHA512
24239c9676c25a179e0c7fae70a6771401ef2a8259128ac87f26941fe192f7be1fe315abe3b484da0bd8885317636531eb3178d0d6911bebabb2e08d3022abc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\config.ini

Filesize
1KB

MD5
0b43abca28b1f104245ac4497ffebe5f

SHA1
bf81a1e57ca6e864dc954a095dadf2cfd5a4b4bf

SHA256
2ccbb0ce8c2d0dfc2d4b593e5c6d27fd622403f4312fde10d28c4f0ca54228bb

SHA512
656b22d33dde7b8cf0f7129a9b097ac8d6705177d0cdd0e74ce094043e0664bf450ca01d39d6ab7c8feeae4d7f12d1b9fb026260d4407301cec8e7db8d0ea947

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\dump.hex

Filesize
290B

MD5
2f38cde71387c08ca700297623dfa577

SHA1
9bbdcb8e4dc95a61d08e88cc5037967d11e0afc5

SHA256
87dd3c5b4c2f2fc74f6bb8ec1c86e3fb4b10bb0c114fa2b066c6c906e7d84d3d

SHA512
c07a83a186043179c3ed2a7af3696726ca5f809143f7e1ab32c745a8237e594539a5f13748e5f04acb31e12edea3dcc68901940d9246753a09329ce37b24955f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\hexdump.bat

Filesize
61B

MD5
d56597794e2c7690ed7bbc69218a435d

SHA1
8248c1e2631ab4e7ca27ef74fe68f122d757347c

SHA256
f616bcf0ec69272620f36e6a452f532137ea6f6df739ac8257a8d17b1953daca

SHA512
ebffd59d9bc53f6712e369fe18d19c0c1559fe00520c6a39a8ceffb4fa65f5d551b01a62441678e98c2420101f80a83964ed108a8759b330c4d4134ab05ad364

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\hexdump.exe

Filesize
69KB

MD5
cb6542d26e1c9c8e19db12a7872fb0ea

SHA1
f21855bc5b07f9e810a8a20ebe04acea53876a7e

SHA256
ebe674c69bafc75f1de1d35913f22a275a4b411aa7c661be44fabd8042e3fbb4

SHA512
fa5af0772b4632a1418b6bde2df6a88a12cd7886b89f8ac94a88700ea4d08c8109bd3144923c7e94a69b934dcaa63f4ffd0416d3905402ed0c8ace542aab862e

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
563KB

MD5
76da2c7c124183acf74251db2a336a79

SHA1
e3af0b141c37fe8db95397970aac0f9545e8b45a

SHA256
77a0ee56b68c5524c79201bc045aed9c212a90f4f28d5f08a8c15507df94aad0

SHA512
b160aa92810da8dc71cfffcc5ee0eeaf3058dcd39a0b1c0f02fd03436d011d9f50b46c0bea984cf3ee732162601e3a140b408655c647ff00654fa59d8fb2a8e4

Download Submit
memory/1500-16-0x0000000000400000-0x000000000057F000-memory.dmp

Filesize
1.5MB

Download
memory/1500-86-0x0000000000400000-0x000000000057F000-memory.dmp

Filesize
1.5MB

Download
memory/1500-104-0x0000000000400000-0x000000000057F000-memory.dmp

Filesize
1.5MB

Download
memory/1904-5-0x0000000002AC0000-0x0000000002C3F000-memory.dmp

Filesize
1.5MB

Download
memory/1904-14-0x0000000002AC0000-0x0000000002C3F000-memory.dmp

Filesize
1.5MB

Download
memory/2892-56-0x0000000000400000-0x0000000000BB8000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing